Who is behind the CIA’s hacking tools? Surprisingly ordinary geeks, it seems.
At the start of March came the first part of yet another Wikileaks document dump. This time it details the CIA’s hacking capabilities. The world suddenly feared spooks watching them through their TVs and smartphones. It all made for great headlines.
The Agency has developed scores of interesting projects, not to mention a stash of hitherto unknown zero day vulnerabilities. The dump also gives notes on how to create well-behaved, professional malware. Malware that stands the least chance of detection, analysis and attribution to Langley.
We’ve also learned some useful techniques for defeating antivirus software, which the Agency calls Personal Security Products (PSPs).
Are cyber-scammers creating their own fake news stories to exploit? Jon Thompson investigates cybercrime mis-reporting.
The UK media recently exploded with news of a new phone-based scam. Apparently, all that’s needed for fraudsters to drain your bank account is a recording of you saying “yes”. It runs as follows:
No one publishes successful phishing and ransomware emails. Jon Thompson thinks he knows why spammers fail so often.
Running an email honeypot network, you receive a flood of malicious email every day. Most is littered with glaring errors that point to lazy, inarticulate crooks trying to make the quickest buck from the least effort. When you do come across a rare, well thought-out campaign, it shines like a jewel in a sea of criminal mediocrity.
To the average spammer, however, it’s all just a numbers game. He cranks the handle on the botnet, so to speak, and money comes out.
This poses an important question: why, given the quality of most malicious spam, are new ransomware infections and high profile phishing attacks still making headlines almost every single day? Clearly, we’re massively overestimating the amount of effort and intelligence invested by spammers.
With that in mind, what follows is a short list of 17 mistakes I routinely see spammers make. All of them immediately guarantee that an email is malicious. There are others, but these are the main ones. If this list reflects the mistakes found in the spam behind the headlines, then both the size of the problem and its lack of sophistication should become apparent.
1. No Subject Header
This error is particularly prevalent in ransomware campaigns. Messages whose payloads have very low VirusTotal scores are being sent with no subject header. Maybe the sender thinks it’ll pique the curiosity of the recipient, but it should also alert spam filters even before they examine the attachment.
2. No Set Dressing
Look at any real communication from a bank, PayPal, a store, etc. It is well formatted, the HTML is clean, the language is clear, and the branding is obvious. Legitimate companies and banks don’t tend to send important messages in plain text.
3. Generic Companies
Generic companies are rare but I do occasionally see them. Who is “the other financial institution” and why has it refused my transaction? Vague, instantiated company names like this, with an accompanying attachment, are clear indicators of spam.
4. Multiple Recipients
This is another example of laziness on the part of spammers. OK, they may have found an open relay to willingly spread messages rather than buy extra time on a botnet, but anything other than a one-to-one sender to recipient ratio should be an instant red flag.
5. Poor Salutation
Much apparently personalised spam doesn’t use a competent salutation, or uses a salutation that is simply the user name part of the email address (i.e.: “Dear fred.smith”). It would take effort to code a script that personalises the messages by stripping off the first name and capitalising the initial. Effort is the enemy of the fast buck.
6. No Body Text
Sending an email with a tantalizing subject header such as “Overdue – Please Respond!” but no body text explaining what or why it’s overdue is as common in commodity ransomware as having no subject header. The attack again relies entirely on the natural curiosity of the recipient, who can and should simply ignore it. Spam filters should also take a keen interest.
7. Auto-translated Body Text
Machine translation has the amusing habit of mapping the grammar of one language onto another, resulting in errors that no native speaker would ever make. Manual translation by a highly fluent speaker is far superior to machine translation, but the translator must also have knowledge of the subject matter for his text to appear convincing. Again, this is effort.
8. The Third Person
This is a great example of a spammer trying to distance himself from his crime. “PayPal has detected an anomaly in your account” and “they require you to log in to verify your account” just look weird in the context of a security challenge. This is supposed to be from PayPal, isn’t it?
9. Finger Trouble
I’m fast concluding that some cybercriminals really do wear thick leather gloves while typing, just like in the pictures. Either that or they’re blind drunk. Random punctuation marks and extra characters that look like they’ve been hit at the same time as the correct ones don’t make a good impression. Simply rejecting emails that have more than a certain percentage of spelling mistakes might prevent many of these messages from getting through.
10. Unexpected Plurals and Tenses
Using “informations” instead of “information” is a dead giveaway for spam and should be blocked when in combination with other indicators. Phrases such as “we detect a problem” instead of “we detected a problem” also stick out a mile as being from spammers.
11. Missing Definite Article
Many spam emails stand out as somehow “wrong” because they miss out the definite article. One recent example I saw read: “Access is blocked because we detect credit card linked to your PayPal account has expired.” An associated Yandex.ru return address gave the whole thing a distinct whiff of vodka.
12. The Wrong Word
“Please review the document and revert back to us immediately”. Revert? Really? Surely, you mean “get back”, not “revert back”. It may be difficult for spam filters to weed out this kind of error, but humans should spot it without difficulty.
13. Misplaced Emphasis
Unusually capitalised phrases such as “You must update Your details to prevent Your Account from being Suspended” look weird. Initial capitalisation isn’t used for emphasis in English sentences, and hints at someone trying to make the message sound more official and urgent than it is.
14. Tautological Terrors
“It is extremely mandatory that you respond immediately”. Not just mandatory but extremely mandatory? Wow, I’d better click that link right away! Urgent calls to action like this overplay the importance of the message in ways that mark them out as fake.
15. Grandiosity
Using grand words where normal ones should appear to make a message sound more authoritative is a dead giveaway. Here’s an example from last September when a gang famously tried to distribute malware on the back of a new media player release: “To solemnise the release of our new software”. Solemnise means to mark with a formal ceremony.
What they really meant was: “To mark the release of our new software”. The whole message was also riddled with such outrageous auto-translate errors that it made for difficult reading.
16. Overly-grand Titles
Why would the Microsoft Chief Support Manager be contacting me personally all the way from the US to give me a refund? Wouldn’t he delegate this important work to a local minion? Similarly, the head of the IMF doesn’t usually spend their days emailing strangers about ATM cards stacked high with cash. Spammers would, though.
17. Obfuscated URLs
If the collar doesn’t match the cuffs, it’s a lie. In other words, if the message contains the name of a high-street bank (for example) and a URL from a shortening service such as bit.ly, spam filters should be blocking the message without question, regardless of the rest of the content.
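Several of the indicators above (1, 4, 5, 6, 10 and 17) can be checked mechanically from the headers and body alone. The following is an added example, not part of the original article; the shortener and brand lists, the indicator names and the sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import getaddresses
from urllib.parse import urlparse

# Assumed lists for illustration; a real filter maintains its own.
SHORTENERS = {"bit.ly"}
BRANDS = {"paypal", "natwest", "barclays"}

def text_body(msg):
    """Concatenate the decoded text/plain parts of a message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def indicators(raw_message):
    """Return the indicators from the list above that fire on one raw message."""
    msg = message_from_string(raw_message)
    subject = (msg.get("Subject") or "").strip()
    body = text_body(msg)
    to_cc = msg.get_all("To", []) + msg.get_all("Cc", [])
    rcpts = [addr for _, addr in getaddresses(to_cc) if addr]
    hits = []
    if not subject:                                   # 1. No Subject Header
        hits.append("no-subject")
    if len(rcpts) > 1:                                # 4. Multiple Recipients
        hits.append("multiple-recipients")
    for addr in rcpts:                                # 5. Poor Salutation
        local = re.escape(addr.split("@", 1)[0])
        if re.search(r"^\s*dear\s+" + local + r"\b", body, re.I | re.M):
            hits.append("username-salutation")
            break
    if not body.strip():                              # 6. No Body Text
        hits.append("no-body")
    if re.search(r"\binformations\b", body, re.I):    # 10. Unexpected Plurals
        hits.append("unexpected-plural")
    urls = re.findall(r"https?://[^\s<>\"']+", body)  # 17. Obfuscated URLs
    hosts = {(urlparse(u).hostname or "").lower() for u in urls}
    text = (subject + " " + body).lower()
    if hosts & SHORTENERS and any(b in text for b in BRANDS):
        hits.append("brand-with-shortener")
    return hits

# Constructed sample messages (not real spam).
SAMPLE_BAD = """\
From: "Account Team" <service@example.net>
To: fred.smith@example.com, jane.doe@example.com

Dear fred.smith,

We detect a problem with your PayPal account.
Confirm your informations at http://bit.ly/EXAMPLE
"""
SAMPLE_EMPTY = "From: a@example.org\nTo: b@example.com\nSubject: Overdue - Please Respond!\n\n"
SAMPLE_OK = """\
From: billing@example.org
To: fred.smith@example.com
Subject: Your March statement

Dear Fred,

Your statement is ready at https://www.example.org/statements
"""

if __name__ == "__main__":
    for name, raw in [("bad", SAMPLE_BAD), ("empty", SAMPLE_EMPTY), ("ok", SAMPLE_OK)]:
        print(name, indicators(raw))
```

The function returns a list of indicator names rather than a verdict, so a filter can weight them in combination, as the list suggests for items such as unexpected plurals.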
Running a honeypot, you soon realise there are four types of spam. The first is basically just adverts. Next comes social engineering spam, which is mostly advanced fee fraud. There’s a ton of cash or a pretty girl waiting if you send a small processing fee. By far the largest category is ransomware, but this is closely followed by that perennial favourite, phishing spam.
Phishing works. Its “product” nets huge profits in two ways. First, by direct use of the stolen data. Second, from sales of that data to other criminals. This got me thinking about how to fight back.
Phishing sites tend to be static replicas of the real thing, with a set of input boxes and a submit button. That is their major weakness. Another is that, though the inputs might be scrubbed to remove the possibility of a sneaky SQL injection, the information being entered might not be checked. Who’s to say that the date of birth, password, bank details etc. that you enter are real? What if you were to enter a thousand different sets of bogus information? How about a million, or even ten million?
What I propose is that when a phishing site is discovered, it would be fun to deploy a script to flood it with random data of the appropriate format for each input field. Finding real data in the collected noise would become nearly impossible, and so would help protect the innocent. If such poor-quality data is sold on to third parties, then Mr Big will soon want his money back and probably a lot more besides.
Diluting phished data to homeopathic strengths is one thing, but the general idea could be applied in other ways. One of the main tasks in running a spam honeypot is “seeding”. This involves generating email addresses to accidentally-on-purpose leave in plain sight for later harvesting by spammers. If someone were to set up a honeypot with a huge number of domains pointing to it, and with a huge number of active login accounts, those accounts can be leaked or even sold (with all profits going to charity, naturally!) as being demonstrably live and real. If the buyer tests any of them, they’ll work. Set up the honeypot in enough interesting detail, and Mr Big won’t be able to tell he’s been duped for quite some time.
Phishing is popular because it’s easy, relatively safe for the perpetrator, and highly profitable. Frustrating the efforts of criminals, casting doubt on the phished data being sold, and hopefully causing wars between cybergangs is certainly one potentially very entertaining way of fighting back.
Of course, flooding phishing sites with bogus data may already be quietly happening. I certainly hope so…
What’s the difference between artificial intelligence and machine learning? Put simply, artificial intelligence is the area of study dedicated to making machines solve problems that humans find easy, but digital computers find hard. Examples include driving cars, playing chess or recognising sarcasm.
What does a Trump presidency mean for global cybersecurity? Does Trump’s Cybersecurity Policy exist? Or will it?
Washington is nervous. No one knows if President Trump understands cybersecurity, or whether he’ll listen to those who do.
Impending drama
Some pundits are already suggesting that his first 100 days in office will include a cyber emergency. How he responds is crucial, but his comments so far have instilled little confidence.
“Cyber is becoming so big today, it’s becoming something that a number of years ago, a short number of years ago wasn’t even a word.”
“We have to get very, very tough on cyber and cyber warfare. It is — it is a huge problem. I have a son. He’s 10 years old. He has computers. He is so good with these computers, it’s unbelievable. The security aspect of cyber is very, very tough. And maybe it’s hardly doable.”
Trump’s Cybersecurity Policy
To be fair, Trump’s campaign site does say that he’ll order a review of “all U.S. cyber defences and vulnerabilities” by a specially assembled Cyber Review Team formed from “the military, law enforcement and the private sector”. But Washington needs to know if he will implement or even believe the Cyber Review Team’s recommendations. After all, this is the man who, when experts discovered Russian-backed groups attacking the Democratic National Committee, said:
“I don’t think anybody knows it was Russia that broke into the DNC. She’s saying Russia, Russia, Russia, but I don’t — maybe it was. I mean, it could be Russia, but it could also be China. It could also be lots of other people. It also could be somebody sitting on their bed that weighs 400 pounds, OK?”
Dread
According to The Washington Post, a sense of dread is descending on the US intelligence community. Former CIA director Michael Hayden summed up the mood:
“I cannot remember another president-elect who has been so dismissive of intelligence received during a campaign or so suspicious of the quality and honesty of the intelligence he was about to receive.”
Anti-China-Hacker
Trump’s policy also places an onus on deterring attacks by state and non-state actors, and he has a particular thing about China’s hackers. He seems openly irritated by the country’s refusal to observe intellectual property law. His plan here is to:
“Enforce stronger protections against Chinese hackers … and our responses to Chinese theft will be swift, robust, and unequivocal.”
By this logic, it’s apparently difficult to attribute an attack when it’s Russia, but not when it’s China. This kind of thinking will need to change or it could damage superpower relationships at a uniquely dangerous point in world history. Part of the danger is that a sufficiently irked President could order a pre-emptive cyber-strike against China to show everyone who’s boss. How will he pick the right target if he doesn’t listen to his advisors? China’s a very big place, and what looks like state-sponsored hacking to some might in fact turn out to be private enterprise. Such actions could be taken as an act of war, and even a limited cyberwar could leave swathes of the internet useless until rebuilt.
Slip of the tongue
Trump also famously likes to abandon the script and simply ad lib during speeches, but national security depends on secrecy. Will he blurt out something in a speech that gives an enemy state a clue about America’s capabilities or, even worse, her vulnerabilities?
Torture works
Trump’s view that “torture works” could also irreparably damage the relationship between GCHQ and the NSA. Torture is a no-no for the UK. The Cheltenham Doughnut is expressly forbidden from sharing intelligence with countries that openly engage in torture. A change in policy by the US would further compromise the flow of intelligence already put at risk by Brexit. The Open Rights Group also believes that Trump will exert a great deal of influence over the UK’s intelligence community. Retaining skilled infosec talent from abroad is also about to become more of a problem for US companies, because Trump plans a crackdown on H-1B work visas. Taking up the slack means boosting cybersecurity degree courses, but any increase in trained manpower will take time to trickle through. In the meantime, who will fill the skills gap?
Listen
Ultimately, Trump is going to have to stop threatening and promising things he can’t deliver, and start listening to his advisors. To do so, he must leave his preconceptions at the door to the Oval Office and think calmly and clearly before acting. Whether that will happen is anyone’s guess, but it’s not hyperbole to suggest that a huge amount depends on it.
Pundits pontificating about online fraud is all well and good, but what do the banks think, and how do they protect us?
To find the truth, we talked candidly to a branch manager from UK bank NatWest.
SE: First of all, what’s the scale of the online fraud problem from the bank’s perspective?
I won’t lie. It’s massive. We’re always being told about phishing emails, and you can report them to us online. Scam phone calls pretending to be the bank and asking for your account details and passwords are also huge. Just to be sure, we never ask for passwords. No one does. Well, no one legitimate anyway.
SE: If you’re scammed can you get your money back?
It all depends. The basic thing is if it’s not a transaction you’ve made, it’s fraud and we can help. If it’s something you’ve done yourself that’s it, the money’s gone. Where it gets tricky is when you think you’re signing up to a one-off payment but the small print says it’s every month and you don’t realise. It might be cleverly worded, but it’s up to you to read what it is you’re buying. If there’s any doubt, don’t do it or bring it in for us to check.
SE: How do you protect people’s money in general?
The monitoring systems now are really good. They put blocks on cards when something suspicious happens, and block dodgy transactions while we find out if they’re legitimate. Tell us you’re going to France for the week and we’ll know not to block your cards if we see a cash withdrawal from Paris. If you tell us you usually go to France about now then we can keep the card active for you. It’s just when we see things out of the ordinary that the system will react. A lot of the time people get their cards blocked on holiday because they forgot to tell us. It’s a pain for them, but if you tell us what you’re doing it’s usually fine.
SE: We see a lot of “Make $2000 a month from home”-style spam. What’s the scam there?
It’s usually money laundering. A foreign gang wants your bank details to put money into your account, then you send it on to someone either at home or abroad but keep an agreed percentage as commission. It’s an old one, that. Sometimes, they want you to physically receive and send on stolen bank cards as well, or ones that have been obtained fraudulently. But you’re being used. Basically, if you’re caught acting as a money mule, then you’re as guilty as the bloke who gave you the money to carry. We have a legal obligation to report anything over a certain amount transferred from abroad into people’s accounts. Again, it’s one of the things the system looks for that’s out of the ordinary.
SE: Can the banks stop people being duped into sending money to scammers abroad?
You mean like rich Nigerian princes and lottery wins that need a processing fee? At the end of the day, it’s their money. We can only advise. We can say: look, we think this looks like a scam. But if they want to send it abroad then we have to do it for them. If it’s a large amount, we’ll ask them in to sit down and think is this really what they want. [We try to] find out how well they understand what they’re doing and where they’re sending it. We have had cases where people have lost considerable amounts because they’re convinced the online fraud is real.
SE: What’s the most outrageous thing you’ve seen?
I was asked to look at the cash machine outside the branch I was managing once, and there was a piece of wire hanging out of the card slot. That’s all it was. But it prevented the card from being returned, so people walk off thinking the machine’s swallowed it. You pull on the wire and the card pops out. It’s called a Lebanese Loop. Simple and easy. Once you’ve got the card you’ve got the expiry date and the CVV number on the back and you can go shopping.
SE: What’s your personal message to customers?
Basically, it’s always a scam. If it looks like something where you think you can get one over on the sender, it’s still a scam. These people aren’t stupid. No one wants to give you free money. You haven’t won a foreign lottery, either. There’s no pot of gold. They may only want a small processing fee, but if they get a lot of fees, it’s very profitable for them. Start with the idea that everything’s a scam, ask us to confirm anything you get that you don’t understand and you’ll be alright.
SE: What other guidance is there for people?
There’s lots about but it’s a bit scattered. Barclays did a good TV advert about phone scams. We’ve published a really comprehensive leaflet about online scams in conjunction with the police that covers all the different frauds. You can download that, and we have a web site for reporting scams. But if you have any questions the best thing is to just call the bank or walk into a branch and ask. That’s the best thing to tackle online fraud.
IoT security is a mess, but who’s to blame? The tech industry must improve security for the internet of things.
The internet of things is quickly becoming every cybercriminal’s wet dream, especially given the release of the Mirai botnet source code. The cause is shockingly insecure devices, but can shaming manufacturers avert the coming chaos?